A Prioritized Risk Approach to Data Security

Feb 20, 2019

A new approach to security strategy is required – one that is based more on resilience than on prevention. It’s become more important for a security team to quickly identify and respond to an attack to minimize the impact of risks to the business rather than trying to prevent attacks from occurring. The old castle-and-moat strategy simply cannot survive the new threat landscape.

No organization can prevent every cyberattack. And none has the resources to protect all of its data assets, devices and infrastructure uniformly. Highly virtualized distributed computing architectures, cloud-based applications and increasingly mobile users have opened new attack surfaces and vectors for cybercriminals and malicious insiders by erasing the traditional network perimeter. These bad actors exploit vulnerabilities with more sophisticated and innovative attacks that target privileged users who have access to valuable data assets.

The growth of containers and microservices and the emerging Internet of Things (IoT) ushers in a new wave of apps and connected devices, exponentially increases the amount of data at risk. These trends marginalize the effectiveness of traditional network and perimeter security solutions, which were designed to prevent earlier generations of malware.

Advanced persistent attacks (APTs) succeed because many organizations lack a cohesive security approach that might prevent or rapidly detect an attack. Legacy stateful firewalls, intrusion prevention systems, Web gateways, antivirus software and email anti-spam solutions have proven to be no match for the current threat environment.

So as APTs expand targeted threat surfaces, why do organizations still invest most of their security budget in yesterday's preventive technologies? Security strategy needs to focus on finding and rooting out these modern threats.

A “Contain and Respond” Strategy

In this environment, security teams need to shift their focus – and resources – from prevention to resilience. This entails accepting that their organization is already compromised. This perspective better prepares them to quickly identify an attack, contain it from spreading, and recover from any losses – minimizing risk exposure for the business. A holistic approach to prioritizing risks takes into account risks across the entire organization.

A “contain and respond” security strategy starts with a holistic approach to prioritizing risks across the organization. These risks include business interruption, intellectual property loss, private data theft, regulatory noncompliance, physical plant and personal injury and reputational damage.

Instead to trying to prevent every threat, security teams target defenses against the highest priority risks – those that can most negatively impact operations and finances. Once risks are prioritized, a multilayered data-centric approach establishes a secure perimeter around the data associated with risks, locks down the data, removes risk from privileged users and provides the information that identifies malicious insiders and possibly compromised accounts.

Just as risks have different priorities, it follows that the different data assets associated with those risks also have different protection and privacy requirements. The data of highest value to attackers – personal identifiable information, intellectual property, customer-specific data and confidential financial information – are also the most valuable “crown jewels” for the security team to protect.

Figure 1. Security, the Data that Underlies Prioritized Risks

Source: Tech-Tonics Advisors

As opposed to conventional security layering by infrastructure, application, device and user, a prioritized risk approach allows the security team to dedicate more resources and attention to the assets that are most important to the organization. This strategy is more proactive and intelligence-based, enabling the security team to better secure the organization’s most valuable data assets, respond to and remediate incidents in a timely fashion and meet GRC (governance, regulatory, compliance) requirements.

It also helps manage escalating security and compliance costs, including team skills. As more functionality is automated, more of the skill set should be skewed towards intelligence – threat analytics, forensics and incident response.

The Need for Greater Intelligence

Traditional signature-based defenses remain a core component of security strategy, protecting against non-targeted malware. But to protect the organization’s most valuable data assets in virtualized, cloud and big data environments, security teams need greater visibility and intelligence. Specifically, they need to know what data is going into these environments, who is authorized to work with this data, when data is attempting to leave and how this data and its users can be monitored while adhering to GRC mandates.

Not surprisingly, the databases and data warehouses that contain the most valuable data – and the servers they reside on – are the primary source of breaches. As organizations increasingly integrate big data with traditional data in their quest to gain deeper insights and improve decision outcomes, threats to these repositories will continue to increases, exposing the organization to more risk. Much of this data also drives decision-making – by both people and machines. If that data were to be tampered with the resulting decision outcomes could be disastrous.

Since big data represents less than 15% of most organizations’ decision-making inputs today, it's recommended that big data be part of broader data management and data governance initiatives. As such, security governance should be linked with data quality and integration components of these programs. Similarly, securing big data should be part of a broader security strategy rather than having a separate big data security strategy that potentially creates yet another data silo.

Automated continuous monitoring of network traffic, application-level awareness and user-specific rules provide granularity into activity in the IT environment. Monitoring that is more pervasive, automated and intelligent allows security teams to better understand risks and prioritize threats.

Software-defined perimeter (SDP) is a relatively new protocol that creates a next-generation access control system for the software-defined network (SDN). A cloud-based SDP controller creates a logical boundary around network and application resources, and only grants access to this virtual perimeter after first authenticating user identity by their device and permissions. Infrastructure and apps remained concealed from potential intruders. Separating the control plane from the data plane allows security teams to build more automated and sophisticated security configurations and dynamically provision standardized security services in the cloud.

The better these tools are integrated, the more of the kill chain can be automated. Unifying disparate data points provides security teams with more actionable intelligence to speed incident response and contain risk. It also facilitates consolidating internal threat intelligence and external services from the cloud and mobile networks.

Automation provides speed and scale to keep up with new architectures and traffic growth. It improves agility and governance, reduces costs and helps security teams mitigate human error and remediate more effectively.

People are Integral to Security Governance

Finally, because people are usually the common denominator in risks, they should be included in security strategy – as they are in effective data governance and disaster recovery and business continuity initiatives. They can be made aware of their vulnerabilities, trained to be more vigilant and incentivized to adhere to policies or penalized for transgressions.

It’s believed that a company’s ability to demonstrate stronger security governance relative to peers will become viewed as a competitive advantage. This includes how it responds to a breach. How a company informs customers, regulators and investors that an attack has occurred and what they are doing/have done to contain it is critical to maintaining security governance and preserving company reputation.

Security is everyone’s business; yet, responsibility still rests with the security team. Security governance should be considered as much a business initiative as data governance or disaster recovery and business continuity. But to be truly effective, it must be endorsed and practiced by senior management and board members. That is the only way common business objectives can be achieved more securely.